In the weeks running up to the Vision 2011 and OPUS 2011 conferences,
experts within IBM Business Analytics Financial Performance and
Strategy Management posed these and other questions to Christopher Cox, a
former SEC Chairman and keynote speaker at both events. Below is a
transcript of that interview.

Looking forward into the next three years,
what are some of the key drivers in the US that will be shaping
regulatory and compliance reform? How are those different from the past
five years?

The most significant characteristic of the time we are living in
right now is the remarkable pace of change, both in legislation and in
regulations governing corporate America, in particular the financial
services sector.

Of course, the Dodd-Frank 2,300-page behemoth is well-known already
to senior finance executives. But what is unknowable are the hundreds of
rules that will be forthcoming under that legislation. The schedule
called for in the statute has the bulk of the final rule makings
scheduled for completion in the third quarter of 2011. It is very clear
across the regulatory agencies that these deadlines are going to be
largely missed.

As a result, not only will there be regulatory uncertainty on a
continuing basis this year, but also for several years into the future.
There are over 100 rule makings that have no statutory deadline at all. I
think a significant share of even those that were expected to be
completed earlier will also be rolled into the future. So during all of
this time, senior Finance executives are going to have to be reading the
tea leaves – not to mention the statute itself – to determine how to
comply. And it isn’t just Dodd-Frank, of course, where we have all this
legislative and regulatory ferment. The unprecedented rapid pace of
change in law and regulation and the continued uncertainty about what
the government will do next pertains to the tax area as well. During the
last year alone, Congress enacted no fewer than six major pieces of tax
legislation – including the two “Obamacare” bills, the HIRE Act, the
Education Jobs Act, the Small Business Jobs Act and, of course the
year-end Tax Relief Act that temporarily extended the current tax rates.

That last piece of legislation bought us at least two years of tax
certainty, but when it comes to long-term capital gains or any of the
other rules governing the taxation of investment, two years are scarcely
enough to permit long-term planning, and so the uncertainty continues.

That uncertainty about where financial, tax and regulatory policy are
headed in turn creates a challenging environment within companies and
within firms when it comes to shaping their response to regulatory and
compliance changes. That’s the environment in which we find ourselves.
Given the extent of this change and the predictable uncertainty that
will continue for several years, it is very important that companies
respond to this in ways that are exceptionally flexible.

How should Finance organizations prepare for this future
regulatory environment in spite of uncertainties, particularly global
companies that do business in multiple jurisdictions? What sustainable
practices in their control and reporting processes and systems do they
need to invest in to prepare for the future?

Being globally active, of course, only ramps up the uncertainty
because the requirements from multiple jurisdictions are layered on the
responsibility of senior Finance executives for U.S. compliance. It is
nonetheless possible to synthesize thematically many of the global
requirements, because at least topically, they have very much in common.

What is most important is that the different parts of a global
organization can talk to one another and that the human beings who must
extract information from the IT systems that collect and disgorge that
information can rationalize it. In particular, companies that address
these changes in ways that are adaptable and flexible will have a clear
advantage. Companies that fail to manage the process in this way will
likely find their companies non-compliant and their risk management
practices called into question – not only by regulators, but also by
their shareholders and their customers.

Do you think that the passage of Dodd-Frank will reduce
systemic risk and improve stability in our financial services
institutions?

Unfortunately, the Dodd-Frank Act failed to address several of the
most significant causes of instability in the financial system and
sources of systemic risk. The first is the status of the
government-sponsored enterprises (GSEs), Fannie Mae and Freddie Mac.
Their current status in federal conservatorship is unsustainable. The
government’s ongoing ownership and use of these GSEs as instruments of
policy to stimulate the housing market is inconsistent with the
ostensible aim of the legal conservatorships into which they’ve been
placed, which is to restore them to financial health.

This is particularly salient, as the conservatorships have required
the GSEs to engage in practices that support housing at the expense of
their financial well-being. Likewise, the government’s completely
unjustifiable practice of keeping these two GSEs off the federal balance
sheet, even as they are under government ownership, makes a mockery of
financial reporting norms and honest accounting. Addressing this glaring
omission in the Dodd-Frank Act remains a top priority of financial
reform.

Next in importance is the inadequacy of bank capital and liquidity
standards. Dodd-Frank did not adequately address the obvious failure of
the Basel standards in the financial crisis. Those standards continue to
create powerful incentives for asset concentration in mortgages and a
reliance on credit ratings, and of course both of those had a role in
generating the mortgage bubble that led to the financial crisis.

So the short answer to that question would be “No.”

Correct. I’d also say that Dodd-Frank has given the Financial
Stability Oversight Council a strong incentive to protect competitors
rather than to protect competition, which might take market share from
the dominant firms. The systemically important designation implies
government readiness to support those firms in a crisis, perversely
encouraging more risky behavior despite the more stringent capital and
other requirements and thus deepening moral hazard.

Can you discuss some of the best practices for boards of
directors with regard to risk oversight? Do you think that changes in
proxy disclosure with regard to risk governance have had an impact on
risk management practices?

Yes. In 2010, the SEC added requirements for proxy statement
discussion of a company’s board leadership structure and its role in
risk oversight. Now companies are required to disclose in their annual
reports the extent of the board’s role in risk oversight, and they’re
required to address such topics as how the board administers its
oversight function, the effect that risk oversight has on the board’s
processes, and whether and how the board or one of its committees
monitors risk. That increased focus on risk management has had
considerable and very earnest take-up across the corporate community.

There are several types of actions that companies and their
appropriate committees have been taking to step up their focus on risk
management. Without question, they are spending more time with
management, and isolating the categories of risk that the company faces –
focusing on risk concentrations and interrelationships, the likelihood
that these risks might materialize, and the effectiveness of the
company’s potential mitigating measures.

Many companies have created risk management committees. Financial
companies, of course, that are covered by Dodd-Frank must have
designated risk management committees, but boards of other companies
have carefully considered the appropriateness of a dedicated risk
committee, and many of them have found it prudent to create one. In
other cases, boards have delegated oversight of risk management to the
audit committee, which is consistent with the New York Stock Exchange
rule that requires the audit committee to discuss policies with respect
to risk assessment and risk management.

For large-cap companies that have a Big Board listing, that has
continued to be another way to address these heightened concerns. I
think boards are carefully bearing in mind that different kinds of risks
may be better-suited to the expertise of different kinds of committees,
so they may not always wish to stovepipe responsibility for risk in a
single committee.

Above all, best practices today are focused on the fact that
regardless of how the board subdivides its responsibilities, the full
board has the responsibility to satisfy itself that the activities of
its various committees are co-ordinated and that the company has
adequate risk management processes in place.

It’s a fascinating world. I can see why if you’re a controller or CFO it’s an exciting but intense place to be.

I think that’s absolutely right. All of these changes we’ve discussed
– in particular in the US – mean that we are entering an era of
unprecedented demand on companies’ governance, risk, and compliance
processes and IT infrastructures. I think that companies have dealt with
regulatory changes over the past half-century largely incrementally.
They’ve made adjustments to their enterprise-wide systems as needed to
comply with what have been modest changes from year to year. But given
the enormous scope of changes in these forthcoming new regulations,
companies will find it necessary to find a comprehensive and holistic
approach to at least regulatory reporting – and, in my view, their
management control as well.

Companies have traditionally relied on different processes to gather
enterprise data to help management run the business on the one hand, and
to gather data in order to satisfy regulators, on the other. In part,
that was sustainable because the information that regulators were
requiring was historical and post-facto. But things are rapidly changing
under these new frameworks. Regulators including the SEC are now
requiring information that is risk-based and predictive. While that is a
big change, it’s also a significant silver lining in that this will
align the process of collecting and gathering information more closely
with what management needs. That means that CIOs should be looking for
ways to integrate their regulatory and their management reporting
processes. For that reason, regulatory reporting doesn’t have to be
viewed as sheer cost, or necessary evil. Instead, there can be
significant efficiencies and productivity gains for the enterprise by
merging the requirements of management and regulatory data gathering
processes.

This convergence will also allow companies to restructure their data
in a way that will feed predictive analytical systems. That, in turn,
can lead to an improvement in both risk management at the board level,
and risk-based decision-making processes at the management level.

About Christopher Cox, Former Chairman, United States Securities and Exchange Commission (SEC)

Beginning in 1988, when he was elected to the House of
Representatives, Christopher Cox established a record of legislative
accomplishments that elevated him to the top of the Congressional
leadership. His wide range of expertise in a variety of complex issues
gives him the ability to take the long view of the economic future,
predicting both the actions of Congress and the effects those actions
will have on the marketplace. The author of the Internet Tax Freedom
Act, which protects Internet users from multiple and discriminatory
taxation, Cox held leadership positions ranging from chairmanships on
committees and taskforces overseeing everything from budget process
reform and policy to homeland security and financial services. During
his tenure as chairman of the Securities and Exchange Commission, he
continued this fight for justice and transparency in the world of
investing.

An Accomplished Lawmaker and Reformer. During his
seventeen years in Congress, Cox served in the majority leadership of
the U.S. House of Representatives. He authored the Private Securities
Litigation Reform Act, which protects investors from fraudulent
lawsuits, and his legislative efforts to eliminate the double tax on
shareholder dividends led to legislation that cut the double tax by more
than half. In addition, he served in a leadership capacity as a senior
member of every committee with jurisdiction over investor protection and
U.S. capital markets, including the Energy and Commerce Committee, the
Financial Services Committee, the Joint Economic Committee, and the
Budget Committee.

An Advocate for Investors. At the SEC, Cox focused
on the enforcement of securities law, bringing a variety of
groundbreaking cases against market abuses such as hedge fund
insider-trading, stock options backdating, and municipal securities
fraud. He also helped turn the Internet into a secure environment, free
of securities scams, and he worked to halt fraud aimed at senior
citizens. As SEC chairman, he was one of the world’s leaders in the
effort to integrate U.S. and overseas regulatory policies in this era of
global capital markets, making international securities exchanges safe,
profitable, and transparent. As part of an overall focus on the needs
of individual investors, Cox reinvigorated the SEC’s initiative to
provide important investor information in plain English, championing the
investor’s right to transparency. His reforms included transforming
the SEC’s system of mandated disclosure from a static, form-based
approach to one that taps the power of interactive data to give
investors qualitatively better information about companies, mutual
funds, and investments of all kinds.

In 1994 Cox was appointed by President Clinton to the bipartisan
commission on entitlement and tax reform, which published its unanimous
report in 1995. From 1986 until 1988, he served as senior associate
counsel to President Reagan. From 1978 to 1986, he specialized in venture
capital and corporate finance with Latham & Watkins. Cox received an
M.B.A. from Harvard Business School and a J.D. from Harvard Law
School, where he was an Editor of the Harvard Law Review.

If you’re in or work with the financial services industry, you probably know about the late December holiday "gift" from the U.S. Federal Reserve – proposed rules implementing provisions of the Dodd-Frank Act which could have a profound effect on how boards and managements deal with risk. In any event, you’ll want to keep in mind that the Fed is accepting comments only for the next month – until March 31.

The proposed rules are far-reaching, including requirements for risk-based capital and leverage, liquidity, stress tests, single-counter-party credit limits, debt-to-equity limits, and early remediation. They apply generally to bank holding companies with consolidated assets of $50 billion or more, as well as non-bank firms designated as systemically important. But some of the rules – those for stress testing, and requiring board level risk committees and related risk management activities – also apply to smaller public firms with consolidated assets of $10 billion. Obviously, reading the fine print is important for all who may be subject to these proposals.

The risk committee is required to "document and oversee, on an enterprise-wide basis, the risk-management practices of the company's worldwide operations." The committee would be chaired by an independent director, and at least one member needs to have risk-management expertise commensurate with the company's size, complexity, and other risk-related factors. Further, its members are expected to understand risk-management principles and practices relevant to the company, with specified experience in risk management. And there are rules for a committee charter, meetings, and documentation.

The committee’s responsibilities include reviewing and approving an appropriate risk-management framework commensurate with the company's size and other factors. The framework’s scope is outlined, including requirements for risk limits appropriate to each line of business, policies and procedures for risk-management practices, processes for identifying and reporting risks, monitoring compliance with risk limits and procedures, and specification of management's authority and independence to carry out risk-management responsibilities. Additionally, the larger covered companies will need to appoint a chief risk officer in charge of implementing and maintaining the risk-management framework and practices approved by the risk committee, with the rules specifying responsibilities and qualifications for the CRO and reporting relationships.

If not already under way, now is the time to analyze the proposal and its implication, and let the Fed know what changes are needed. If interested, you might want to tune into the upcoming IBM OpenPages webinar where I’ll be discussing the proposed rules, their implications and the challenges they present – March 8, 2:00 pm Eastern Time.

The SEC’s final rules implementing Dodd-Frank’s whistle blowing provisions failed to remove angst among compliance officers and general counsels. While there are some incentives for potential whistleblowers to first report alleged misconduct via internal reporting channels, there’s no requirement to do so – and many are concerned the internal channels will be bypassed. And going outside is on the rise. It’s been reported that in only seven weeks after the SEC’s program began, there were 334 whistleblower filings. Compliance officer concerns are well founded – that bypassing internal channels will deprive the company of being able to investigate and fix problems before they grow, and company personnel will need to play catch up with investigations in reaction to SEC probes.

We can point to many resolved whistle blowing cases for clear evidence of the potential impact of the SEC’s still relatively new program. One homeowner delinquent on her mortgage ultimately received $18 million for reporting suspected use of fraudulent documents in the bank’s foreclosure process. It’s said that in acting against this homeowner – an attorney and career insurance fraud investigator – the bank “picked the wrong person at the wrong time in the wrong place,” but the robo-signing and other compliance failures were widespread and surfaced from a number of sources. Nonetheless, this individual was one of six whistleblowers receiving $46.5 million said to be part of the five-bank $25 billion settlement. In an unrelated case, a member of a major bank’s quality control team who reportedly was displeased that the misconduct wasn’t reported to regulators, decided to do so herself – ending up with a settlement of $31 million. And there are many more.

Worth noting is a recent survey that indicates more than one-third of American workers have seen misconduct on the job. While many instances of misconduct have been reported through internal channels, it appears the vast majority have not. Why? The survey shows it’s because of fear of not being able to remain anonymous, and of retaliation. Those two factors, plus the possibility of monetary reward, are reported as key factors in incentivizing internal reporting. And the survey also shows two-thirds of respondents didn’t know about the SEC’s program – at least not yet.

Certainly it’s in a company’s interest to be first to know about alleged misconduct, and compliance officers are working hard to upgrade policies, training, communications, and the internal whistleblower systems, all to encourage internal reporting. Actions to ensure anonymity, with positive responses and nothing close to retaliation, are expected to help. Some companies have begun to pay bounties for valued reports. There are indications that when employees believe their reports will be taken seriously without adverse repercussions, there’s increased likelihood for internal reporting. Law firms and others have provided guidance on which companies are acting. However, it remains to be seen the extent to which the possibility of a huge, life-changing payday by the SEC will be too much to resist. Time will tell.

As a compliance officer, you’re dealing with increased regulation and expectations, while related resources are subject to budgetary constraints. Yes, senior managements read the headlines and recognize the reputational and related risks associated with legal and regulatory compliance. But what I and others see are compliance functions having to do more, often without a commensurate increase in resources.

These observations are consistent with a recent Thomson Reuters survey of financial services companies’ compliance professionals. The survey shows that compliance officers are struggling to keep up with increasing demands of global regulation – where rapidly growing regulations and increasing responsibilities, together with limited resources and constrained budgets, are causing compliance personnel to reach a “saturation point.” A whopping 84 percent of respondents say they expect to deal with more information from regulators and exchanges this year, with almost half expecting the level to be "significantly higher." The increase is expected to come from such events as splitting of the U.K. Financial Services Authority, added regulatory power of the European Supervisory Authorities, expansion of new and existing U.S. regulatory agencies resulting from Dodd-Frank, and expanded enforcement of such regulations as the U.K. Bribery Act and the U.S. Foreign Account Tax Compliance Act.

The survey results show that compliance responsibilities and expectations are diverging from realistic capabilities. For instance, with a key objective being to coordinate with other company professionals involved with regulatory risk, over half of compliance professionals say they spend less than one hour weekly with internal audit colleagues, and one third spend less than one hour per week with legal and risk professionals. And while 70 percent of respondents expect the cost of senior compliance staff to increase this year, only 11 percent of companies expect a significant increase in budgets.

Also interesting is the statement that: “While keeping executive management informed of regulatory issues is a key part of the compliance role, more than a quarter of respondents say they spend less than one hour a week reporting to their boards. In the U.S., more than half of the companies surveyed spend less than one hour a week reporting to their boards. This raises concerns about whether executive management is being kept sufficiently informed on compliance issues.” Well, it’s not entirely clear from this as to the extent of interaction between compliance officers and senior management – one hour a week with the board may be just fine, as long as there’s significant interaction directly with executive management.

In any event, what we see is compliance departments already working at a fast pace with high efficiency, but they face risks going forward if responsibilities and resources aren’t recalibrated to be in sync.
